
United States Patent and Trademark Office 



UNITED STATES DEPARTMENT OF COMMERCE 
United States Patent and Trademark Office 
Address: COMMISSIONER FOR PATENTS 
P.O. Box 1450 

Alexandria, Virginia 223IJ-I450 
www.uspto.gov 



APPLICATION NO. 



FILING DATE 



FIRST NAMEDTNVENTOR 



ATTORNEY DOCKET NO. 



CONFIRMATION NO. 



09/468,377 



12/20/1999 



YURJJ ANDRU BARANSKY 



7590 07/12/2004 

DOUGLAS W CAMERON 
INTELLECTUAL PROPERTY LAW DEPT 
IBM CORPORATION P O BOX 218 
YORKTOWN HEIGHTS, NY 10598 



Y0999-558 



3573 



EXAMINER 



NALVEN, ANDREW L 



ART UNIT 



PAPER NUMBER 



2134 

DATE MAILED: 07/12/2004 



Please find below and/or attached an Office communication concerning this application or proceeding. 



PTO-90C (Rev. 10/03) 



• 


Application No. 


~w — 


Applicant(s) 




Office Action Summary 


09/468,377 




BARANSKY ET AL. 


Examiner 
Andrew L Nalven 




Art Unit 

2134 





The MAILING DATE of this communication appears on the cover sheet with the correspondence address ~ 
Period for Reply 
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THE MAILING DATE OF THIS COMMUNICATION. 
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DETAILED ACTION 

1. Claims 1-17 are pending. 

2. Amendment submitted 20 May 2004 has been received and entered. 

Response to Arguments 

3. Applicant's arguments filed 20 May 2004 have been considered, but are moot in 
view of the new grounds of rejection. 

Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

5. Claims 1-3, 5-7, 12-13, 15 and 16 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Mi et al US Patent No. 6,418,472 in view of Olden US Patent No. 
6,460,141 and Aziz US Patent No. 5,604,803. Mi teaches a system and method for 
using Internet based caller ID for controlling access to an object stored in a computer. 
Olden teaches a security and access management system. Aziz teaches a method for 
secure remote authentication in a public network. 

6. With regards to claims 1,12, and 15, Mi teaches the generating of a first key 
known only to the content provider (Mi, column 7 lines 21-27, column 8 lines 47-61 ), the 
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encrypting of a second key using the first key and an encryption algorithm (Mi, column 8 
lines 4-10, column 4 lines 21-28), decrypting the second key using the first key when 
the user desires access to data (Mi, column 8 lines 32-46), and accessing the data 
using the second key (Mi, column 8 lines 32-46). Mi lacks a reference to the use of a 
one-time password and the storing of the encrypted second key on the client machine. 
Aziz teaches the use of a one-time password (Aziz, column 6 lines 61-64) and Olden 
teaches the storing of an encrypted second key on the client machine (Olden, column 
23 line 55 - column 24 line 28 "cookie"). At the time the invention was made, it would 
have been obvious to a person of ordinary skill in the art to utilize Olden's method of 
storing an encrypted cookie on a client machine and Aziz's method of using one-time 
passwords with Mi's access control system because it offers the advantage of relieving 
the user of the hassle of having to enter authentication information each time access is 
requested to a service or object (Olden, column 23 lines 55-61 ) and because it reduces 
the likelihood of an unauthorized user gaining access to user passwords (Aziz, column 
2 lines 1-13). 

7. With regards to claims 2 and 6, Mi as modified discloses the step of transmitting 
the identity of the client machine to the content provider to authenticate that the user is 
using the client machine thereby permitted data to be accessed only on the client 
machine (Mi, column 8 lines 32-46). 

8. With regards to claims 3 and 7, Mi as modified teaches the one-time password 
being a unique user identifier and the one time password being transmitted out of band 
(Aziz, column 2 lines 45-60). 
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9. With regards to claims 5, 13 and 16, Mi teaches everything as described above, 
and further teaches the use of a separate user supplied password (Mi, column 8 lines 
14-19). 

10. Claims 4 and 8 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
over Mi et al US Patent No. 6,418,472 in view of Olden US Patent No. 6,460,141 and 
Aziz US Patent No. 5,604,803 as applied to claims 1 and 5 above, and further in view of 
Thomlinson et al US Patent No. 6,389,535. 

1 1 . With regards to claims 4 and 8, Mi as modified fails to teach the second key 
being required in an algorithm that generates a session key used to decrypt data. 
Thomlinson teaches a second key being required in an algorithm that generates a 
session key used to decrypt data (Thomlinson, column 10 lines 11-16). At the time the 
invention was made, it would have been obvious to a person of ordinary skill in the art to 
utilize Thomlinson's method of session key creation with Mi as modified because it 
offers the advantage of allowing encryption of secret data in such a way as to ensure 
that data items don't need to be re-encrypted when a user changes his or her password 
(Thomlinson, column 10 lines 17-23). 

12. Claims 9-11, 14, and 17 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Mi et al US Patent No. 6,418,472 in view of Olden US Patent No. 
6,460,141, Aziz US Patent No. 5,604,803, and Jablon US Patent No. 6,226,383 in view 
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of Thomlinson et al US Patent No. 6,389,535. Jablon describes cryptographic methods 
for remote authentication. 

13. With regards to claims 9, 14, and 17, Mi teaches the generating of a first key 
known only to the content provider (Mi, column 7 lines 21-27, column 8 lines 47-61), the 
encrypting of a second key using the first key and an encryption algorithm (Mi, column 8 
lines 4-10, column 4 lines 21-28), decrypting the second key using the first key when 
the user desires access to data (Mi, column 8 lines 32-46), and accessing the data 
using the second key (Mi, column 8 lines 32-46). Mi lacks a reference to the use of a 
one-time password, the storing of the encrypted second key on the client machine, the 
sending of g A a to the client machine, generating g A b, encrypting g A b, and calculating 
g A (a*b) as part of the authentication procedure. Aziz teaches the use of a one-time 
password (Aziz, column 6 lines 61-64) and Olden teaches the storing of an encrypted 
second cookie on the client machine (Olden, column 23 line 55 - column 24 line 28 
"cookie"). Jablon teaches a procedure called Hidden-Password Validation that includes 
the sending of g A a to the client machine (Jablon, column 7 lines 16-23), generating g A b 
(Jablon, column 7 lines 23-26), encrypting g A b (Jablon, column 7 lines 23-26 g A b is 
exchanged using Diffie-Hellman encryption), and calculating g A (a*b) (Jablon, column 7 
lines 25-27) as part of the authentication procedure. At the time the invention was 
made, it would have been obvious to a person of ordinary skill in the art to utilize 
Olden's method of storing an encrypted cookie on a client machine, Aziz's method of 
using one-time passwords, and Jablon's exchange procedures with Mi's access control 
system because it would offer the advantage of relieving the user of the hassle of 
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having to enter authentication information each time access is requested to a service or 
object (Olden, column 23 lines 55-61), because it would reduce the likelihood of an 
unauthorized user gaining access to user passwords (Aziz, column 2 lines 1-13), and 
because it would help reduce the vulnerability of the password if a host computer's 
password database is exposed (Jablon, column 20 lines 17-20). 

14. With regards to claim 10, Mi as modified discloses the step of transmitting the 
identity of the client machine to the content provider to authenticate that the user is 
using the client machine thereby permitted data to be accessed only on the client 
machine (Mi, column 8 lines 32-46). 

15. Claim 1 1 is rejected under 35 U.S.C. 103(a) as being unpatentable over Mi et al 
US Patent No. 6,418,472, Olden US Patent No. 6,460,141, Aziz US Patent No. 
5,604,803, and Jablon US Patent No. 6,226,383 as applied to claim 9 above, and 
further in view of Schneier Applied Cryptography . Mi as modified, lacks a reference to a 
MAC authentication procedure. Schneier describes the one-way hash function termed 
a MAC that is used to verify authenticity (Page 455, Section 18.14). At the time the 
invention was made, it would have been obvious to a person of ordinary skill in the art to 
utilize Schneier's MAC authentication on g a * b to authenticate the server to the client 
because it provides a verification method that is reliant on having the same key. Both 
client and server generate the same key during the authentication procedure so the 
MAC authentication would be an easy way to check authenticity without needing 
security since it is a one-way function (Page 455, Section 18.14). 
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Conclusion 



16. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Andrew L Nalven whose telephone number is 703 305 
8407. The examiner can normally be reached on Monday - Thursday 8-6, Alternate 
Fridays. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gregory Morse can be reached on 703 308 4789. The fax phone number 
for the organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 
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